I have some Nexus switches deployed in my network. They are authenticating user access via TACACS/ACS (4.2). I would like to get the user role part working, as currently any users logging in get defaulted to a network-operator role so don't have full configuration ability. Reading the Nexus guide I see that this is achieved by somehow using the following Cisco VSA:
Can anyone help me to understand specifically how to get this configured? I guess that on the ACS somewhere I need to return this attribute for a user. However I can't see where it's configured. I have been through the ACS admin guide but it's not clear to me.
You can configure this attribute per user or per group.
First, go to Interface Configuration -> TACACS+ and enable "Display a window for each service selected in which you can enter customized TACACS+ attributes".
Next, go to the user or group where you want to grant this role and check the box next to "Shell (exec)" and in the custom attributes field below add the role assignment.
Note: if you will be authenticating on both NX-OS and IOS devices, use * instead of = to make the role optional or the IOS devices will fail authorization.
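The mandatory/optional distinction in the note above is standard TACACS+ behaviour: `attr=value` is mandatory and `attr*value` is optional. The following added example (not code from the thread or from Cisco) simulates how a client handles an authorization reply; the attribute names `shell:roles` and `priv-lvl`, and which platform understands which, are assumptions used for illustration.

```python
# Added example (not from the original thread): models how a TACACS+ client
# treats authorization AV pairs. "attr=value" is mandatory, "attr*value" is
# optional. A device that does not understand a mandatory attribute must
# fail the authorization, which is why the answer above recommends "*" in
# a mixed NX-OS / IOS estate. The attribute names "shell:roles" and
# "priv-lvl", and the per-platform support table, are assumptions here.

import re

# Constructed: which attributes each platform type is assumed to understand.
UNDERSTOOD = {
    "nxos": {"shell:roles", "priv-lvl"},
    "ios": {"priv-lvl"},
}

# attribute, then the separator ("=" mandatory, "*" optional), then value
PAIR_RE = re.compile(r"^([^=*]+)([=*])(.*)$")


def parse_av_pair(pair):
    """Return (attribute, value, mandatory) for one AV pair string."""
    m = PAIR_RE.match(pair)
    if not m:
        raise ValueError("malformed AV pair: %r" % pair)
    attr, sep, value = m.groups()
    return attr, value, sep == "="


def authorize(platform, av_pairs):
    """Simulate a device's handling of the server's authorization reply.

    Returns (status, applied): status is "PASS" or "FAIL", applied is the
    dict of attributes the device actually accepted.
    """
    known = UNDERSTOOD[platform]
    applied = {}
    for pair in av_pairs:
        attr, value, mandatory = parse_av_pair(pair)
        if attr in known:
            applied[attr] = value
        elif mandatory:
            # Unknown mandatory attribute: the client must reject the session.
            return "FAIL", {}
        # Unknown optional attribute: silently ignored by the client.
    return "PASS", applied
```

Running `authorize("ios", ['shell:roles="network-admin"'])` fails while the `*` form passes and is simply ignored on IOS, which is the failure mode the note describes.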